A recent cyber campaign [1] [4] [6], known as UNK_SweetSpecter [1] [2] [3] [5], has been targeting organizations in the United States involved in artificial intelligence efforts.


Tracked by Proofpoint [1], this campaign is believed to be orchestrated by a Chinese-speaking threat actor using a customized variant of the SugarGh0st RAT malware. The focus is on AI experts in US organizations, government agencies [3] [5] [7], and academia [3] [5], indicating a specific interest in AI-related information. The highly targeted nature of these operations suggests a potential motive related to tensions between the US and China regarding AI access and development goals. Less than 10 individuals associated with a prominent US-based AI organization have been targeted, with the objective possibly being to obtain non-public information about generative AI [2]. The malware includes new capabilities for reconnaissance and data exfiltration [3], pointing to an effort to harvest AI secrets for Chinese development objectives. While the attackers have not been definitively linked to a known threat actor [7], they are currently attributed to a temporary UNK_SweetSpecter alias [7]. The SugarGh0st malware is a customized version of the Gh0stRAT trojan, historically used by Chinese groups [7], and was first documented by Cisco Talos in November 2023 in attacks against government targets in Uzbekistan and South Korea [7]. The infection chain in the current campaign against AI experts mirrors that of the November attack [7], with Chinese language artifacts present in the trojan’s code [7]. The attacks involve AI-themed lures in email attachments and have shifted their C2 communications to a new domain [4], account.gommask[. [4]]online.


The targeting of AI experts in the US by the UNK_SweetSpecter campaign raises concerns about the potential theft of sensitive AI-related information. Organizations involved in artificial intelligence efforts should enhance their cybersecurity measures to mitigate the risk of data breaches. The evolving tactics of threat actors underscore the importance of ongoing vigilance and collaboration among stakeholders to address cybersecurity challenges in the AI sector.


[1] https://www.cybersecurity-review.com/sugargh0st-rat-used-to-target-american-artificial-intelligence-experts/
[2] https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american
[3] https://www.darkreading.com/cyberattacks-data-breaches/us-ai-experts-targeted-in-sugargh0st-rat-campaign
[4] https://www.infosecurity-magazine.com/news/sugargh0st-rat-targeted-ai/
[5] https://ciso2ciso.com/us-ai-experts-targeted-in-sugargh0st-rat-campaign-source-www-darkreading-com/
[6] https://ciso2ciso.com/sugargh0st-rat-variant-used-in-targeted-ai-industry-attacks-source-www-infosecurity-magazine-com/
[7] https://www.csoonline.com/article/2111003/us-ai-experts-targeted-in-cyberespionage-campaign-using-sugargh0st-rat.html